Technology giants Google and Apple are making their jointly developed Exposure Notifications System available through software updates. With these updates, public health agencies (PHAs) around the globe can begin to deploy apps that make use of exposure notifications.
The application programming interface (API) released today is the result of feedback the joint project team received from hundreds of conversations over the past five weeks with PHAs, NGOs, academics, government officials and privacy experts in America and dozens of countries across five continents.
As of May 21, 22 countries on five continents have requested and received access to the API with more expected to join in the coming weeks. The firms will begin shipping this first phase of the Exposure Notification System. They are also looking at working with PHAs more to develop and improve the system to achieve the goals of broad user adoption with this privacy-forward approach.
According to the two firms, building the API is in response to challenges associated with interoperability, battery life, and privacy. The API is aimed at helping PHAs maximize the potential of Bluetooth technology. The resulting API addresses these challenges and helps PHAs build Exposure Notification apps that become part of robust, comprehensive programs grounded in testing, conventional contact tracing and containment. Exposure Notifications technology is a supplement to, not a substitute for traditional contact tracing and both companies are firmly grounded in the fact that it’s another tool at the disposal of PHAs — not a silver bullet.
Throughout the process, Apple and Google have solicited feedback, released multiple beta versions of the software, and posted documents publicly to help developers. These documents include the Bluetooth, cryptography, and API specifications, sample apps with source code, and a reference server implementation. They published the technical specifications very early in the process to solicit the widest feedback possible and have updated them many times since in response.
In response to feedback from PHAs:
- The API will allow PHAs to define what constitutes an exposure event
- The API will allow PHAs to determine the number of exposure events an individual has had
- The API will allow PHAs to factor transmission risk of positive cases into their definition of an exposure event
- A combination of the API and data that users voluntarily choose to input into the app allows PHAs to contact exposed users
Through all of these conversations, the goal was to find how to best meet PHAs’ need for technological support while respecting user privacy, consent, and control. Understanding that user trust will be critically important to the success of the apps, PHAs and privacy experts were also crucial collaborators on stronger privacy and data security protections, including:
- Updated the API so that daily Temporary Exposure Keys are generated randomly rather than being derived from a tracing key. This change strengthened the privacy of the system and makes it more difficult for someone to guess how the keys are derived and use that information to try and track people.
- Encrypted all metadata associated with Bluetooth traffic to make it more difficult to identify a person (for example, by associating the transmit power with a particular model of phone).